InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
District Court says EFTA applies to cryptocurrency
On February 22, the U.S. District Court for the Southern District of New York partially granted a cryptocurrency exchange’s motion to dismiss allegations that its inadequate security practices allowed unauthorized users to drain customers’ cryptocurrency savings. Plaintiffs claimed the exchange and its former CEO (collectively, “defendants”) failed to correctly implement a two-factor authentication system for their accounts and misrepresented the scope of the exchange’s security protocols and responsiveness. Plaintiffs filed a putative class action alleging violations of the EFTA and New York General Business Law, along with claims of negligence, negligent misrepresentation, breach of contract, breach of warranty, and unjust enrichment. The defendants moved to dismiss, in part, by arguing that the EFTA claim failed because cryptocurrency does not constitute “funds” under the statute. The court denied the motion as to the plaintiffs’ EFTA claim, stating that the EFTA does not define the term “funds.” According to the court, the ordinary meaning of “cryptocurrency” is “a digital form of liquid, monetary assets” that can be used to pay for things or “used as a medium of exchange that is subsequently converted to currency to pay for things.” In allowing the claim to proceed, the court referred to a final rule issued by the CFPB in 2016, in which the agency, according to the court’s opinion, “expressly stated that it was taking no position with respect to the application of existing statutes, like the EFTA, to virtual currencies and services.” In the final rule, the Bureau stated that it “continues to analyze the nature of products or services tied to virtual currencies.” The court dismissed all of the remaining claims, citing various pleading deficiencies, and finding, among other things, that the “deceptive acts or practices” claim under New York law failed because plaintiffs did not identify specific deceptive statements the defendants made or deceptive omissions for which the defendants were responsible.
DOJ initiates SCRA action over auto auctions and dispositions
On March 3, the DOJ filed a complaint in the U.S. District Court for the Eastern District of North Carolina against a North Carolina-based towing company for allegedly auctioning off, selling, or disposing of vehicles owned by servicemembers through the use of court judgments obtained without filing proper military affidavits. Under the Servicemembers Civil Relief Act (SCRA), plaintiffs seeking a default judgment must “file an accurate military affidavit stating whether or not the defendant is in military service, or that the plaintiff is unable to determine the defendant’s military service status.” Towing companies are also required by the statute to make a good faith effort to determine if a defendant is in military service. A court may not enter a default judgment in favor of a plaintiff until after a servicemember has been appointed an attorney.
According to the complaint, the towing company disposed of servicemembers’ vehicles without complying with these requirements from at least 2017. The DOJ further claims that several factors should have alerted the towing company to the fact that the vehicles belonged to a servicemember, including that many of the vehicles were originally towed from locations on or near a military installation and many of the vehicles “had military decals, patches, and decorations, were financed through lenders geared towards members of the military, and contained military uniforms and paperwork, including orders.” The DOJ seeks damages for the affected servicemembers and civil penalties, as well as a court order enjoining the towing company from engaging in the illegal conduct.
4th Circuit remands privacy suit to state court
On February 21, the U.S. Court of Appeals for the Fourth Circuit held that a proposed class action over website login procedures belongs in state court. Plaintiff alleged that after a nonparty credit reporting agency experienced a data breach, it used the defendant subsidiary’s website to inform customers whether their personal data had been compromised. Because the defendant’s website required the plaintiff to enter six digits of his Social Security number to access the information, the plaintiff alleged violations of South Carolina’s Financial Identity Fraud and Identity Theft Protection Act and the state’s common-law right to privacy. Under the state statute, companies are prohibited from requiring consumers to use six digits or more of their Social Security number to access a website unless a password, a unique personal identification number, or another form of authentication is also required. According to the plaintiff, the defendant’s website did not include this requirement.
The defendant moved the case to federal court under the Class Action Fairness Act and requested that the case be dismissed. Plaintiff filed an amended complaint in federal court, as well as a motion asking the district court to first determine whether it had subject matter jurisdiction, given the U.S. Supreme Court’s ruling in TransUnion LLC v. Ramirez, which clarified the type of concrete injury necessary to establish Article III standing (covered by InfoBytes here). Although the district court held that the plaintiff had alleged “an intangible concrete harm in the manner of an invasion of privacy,” which it said was enough to give it subject-matter jurisdiction “at this early stage of the case,” it dismissed the case after determining the plaintiff had not plausibly stated a claim.
In reversing and remanding the action, the 4th Circuit found that the plaintiff alleged only a bare statutory violation and had not pled a concrete injury sufficient to confer Article III standing in federal court. The appellate court vacated the district court’s decision to dismiss the case and ordered the district court to remand the case to state court. The 4th Circuit took the position that an intangible harm, such as a plaintiff “enduring a statutory violation” is insufficient to confer standing unless there is a separate harm “or a materially increased risk of another harm” associated with the violation. “[Plaintiff] hasn’t alleged—even in a speculative or conclusory fashion—that entering six digits of his SSN on [defendant’s] website has somehow raised his risk of identity theft,” the 4th Circuit said. In conclusion, the 4th Circuit wrote: “We offer no opinion about whether the alleged facts state a claim under the Act. Absent Article III jurisdiction, that’s a question for [plaintiff] to take up in state court.”
9th Circuit concludes district attorneys can sue national banks in state court
On February 27, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s decision to abstain from enjoining a state action brought by a California county district attorney (DA) against a national bank, concluding that the enforcement action was not an exercise of “visitorial powers.” According to the opinion, the DA launched an investigation into the bank’s vendor and issued the bank an investigative subpoena seeking records of its banking activities. The bank objected, claiming the request “improperly infringes on the exclusive visitorial powers of the [OCC]” because it sought to inspect the bank’s books and records. The bank subsequently filed a complaint in the U.S. District Court for the Central District of California asking the court to enjoin the state action and requesting injunctive relief to prevent the DA from taking any action to enforce federal and state lending, debt collection, and consumer laws against the bank, or from exercising visitorial powers in violation of the National Bank Act (NBA). The DA withdrew his investigative subpoena and moved to dismiss for lack of subject matter jurisdiction on the ground that the case was now moot. The motion to dismiss was denied on the premise that the DA had not demonstrated that a “renewed investigative subpoena against [the bank] ‘could not be reasonably be expected.’”
The DA then filed a complaint in state court claiming the bank violated California law by hiring a third-party vendor to place “extensive harassing” debt collection phone calls to residents in the state. The complaint alleged violations of California’s Unfair Competition Law, the Rosenthal Fair Debt Collections Practices Act, and the right to privacy under the California Constitution. In federal court, the bank moved for summary judgment, arguing that the state action was an improper exercise of visitorial powers. The district court, however, ruled that the Younger v. Harris abstention (in which a federal court refrains from staying or enjoining pending state criminal prosecutions absent extraordinary circumstances or state civil enforcement actions when certain conditions are met) applied. The bank appealed.
The 9th Circuit considered two questions: (i) whether the Younger abstention was correctly applied, and (ii) whether the DA’s state court action “was an impermissible exercise of visitorial powers vested exclusively with the OCC.” The 9th Circuit held that the district court was correct in applying the Younger abstention doctrine because (i) “the state action qualified as an ‘ongoing’ judicial proceeding because no proceedings of substance on the merits had taken place in the federal action”; (ii) the state court action implicated an important state interest in consumer protection and nothing in federal law bars a DA from suing a national bank; (iii) the bank had the option to raise a federal defense under the NBA in the state court action; and (iv) the injunction the bank requested in the federal action would interfere with the state court proceeding. The 9th Circuit also rejected the bank’s arguments that the state action constituted an illegal exercise of visitorial powers that only belongs to the OCC or state attorneys general. The 9th Circuit cited the U.S. Supreme Court’s decision in Cuomo v. Clearing House Ass’n, L.L.C., in which the high court “held that bringing a civil lawsuit to enforce a non-preempted state law is not an exercise of visitorial powers,” and that “a sovereign’s ‘visitorial powers’ and its power to enforce the law are two different things.” Relying on the Cuomo holding, the 9th Circuit found that accepting the bank’s position “would mean that actions brought against national banks by federal or state agencies or, for that matter, individuals would be forbidden as unlawful exercises of visitorial powers.” “Such a result is wrong. It contradicts established law and is unsupported by any legal authority cited by [the bank]” and would additionally “raise serious anti-commandeering concerns under the Tenth Amendment.”
8th Circuit reverses debt collection action for lack of standing
On February 24, the U.S. Court of Appeals for the Eighth Circuit vacated and remanded the dismissal of a class action lawsuit concerning a medical collection letter that listed amounts due but did not distinguish between the principal and the interest that the debt collectors were attempting to charge. Plaintiff, who never paid any part of the interest or principal, filed a class action against the defendant debt collectors alleging violations of the FDCPA and the Nebraska Consumer Practices Act (NCPA). The defendants moved for summary judgment, arguing that the plaintiff lacked Article III standing. The district court denied the motion and the jury found for the defendants on all counts except for the NCPA claim, which was not tried before a jury. After trial, the district court determined it had provided improper jury instructions, and sua sponte, entered judgment for the plaintiff as a matter of law on both the NCPA and FDCPA claims. The district court specifically ruled that the NCPA does not allow collection of prejudgment interest by a debt collector without an actual judgment. The defendants appealed.
On appeal, the 8th Circuit focused on whether the plaintiff had standing. The appellate court held that the collection letter did not cause the plaintiff concrete harm, and concluded (quoting TransUnion LLC v. Ramirez, citing Spokeo, Inc. v. Robins) that without a concrete injury in fact, she “is ‘not seeking to remedy any harm to herself but instead is merely seeking to ensure a defendant’s compliance with regulatory law (and, of course, to obtain some money via the statutory damages).’” Without suffering a tangible harm, the appellate court said it could only recognize injuries with “a ‘close relationship’ to harm ‘traditionally’ recognized as providing a basis for a lawsuit in American courts.” The plaintiff pointed to fraudulent misrepresentation and conversion as analogous to her alleged injury, but the appellate court disagreed and determined that the consumer could not establish injury sufficient to satisfy Article III standing. In vacating and remanding the district court’s ruling, the 8th Circuit pointed out that, absent standing, it lacked jurisdiction to decide any other issues raised on appeal.
New York AG sues crypto trading platform for failing to register
On February 22, the New York attorney general filed a petition in state court against a virtual currency trading platform (respondent) for allegedly failing to register as a securities and commodities broker-dealer and falsely representing itself as a cryptocurrency exchange. The respondent’s website and mobile application enable investors to buy and sell cryptocurrency, including certain popular virtual currencies that are allegedly securities and commodities. According to the AG, securities and commodities brokers are required to register with the state, which the respondent allegedly failed to do. The AG further maintained that the respondent claimed to be an exchange but failed to appropriately register with the SEC as a national securities exchange or be designated by the CFTC as required under New York law. Nor did the respondent comply with a subpoena requesting additional information about its crypto-asset trading activities in the state, the AG said. The state seeks a court order (i) preventing the respondent from misrepresenting that it is an exchange; (ii) banning the respondent from operating in the state; and (iii) directing the respondent to undertake measures to prevent access to its mobile application, website, and services from within New York.
Supreme Court agrees to review constitutionality of CFPB’s funding, but not on an expedited basis
The Supreme Court granted the CFPB's request to review the U.S. Court of Appeals for the Fifth Circuit’s decision in Community Financial Services Association of America v. Consumer Financial Protection Bureau but so far has not expedited consideration of the case. Without quick action to expediate consideration by the Court, all CFPB actions will be open to challenge until the Supreme Court issues a decision. At the current pace, the CFPB could remain in this limbo until June of 2024.
In this case, the 5th Circuit held that Congress violated the Constitution’s Appropriations Clause when it created what that Court described as a “perpetual self-directed, double-insulated funding structure” for the agency. As a result, the CFPB’s 2017 Payday Lending Rule is invalid because the CFPB would not have been able to issue it “without its unconstitutional funding.” The implication, as the CFPB itself pointed out in its petition for certiorari, is that all past and future actions that relied on the same funding mechanism—basically everything the agency has ever done or will ever do—are invalid as well.
Although the CFPB had ninety days to seek review of the 5th Circuit’s decision, it took the unusual step of filing the petition in less than 30 days, and specifically urged the Supreme Court to “set this case for argument this Term,” to guarantee a decision by June or early July of this year. The Court’s order issued Monday simply states that the CFPB’s petition is granted, without setting an expediated briefing schedule. As a result, without the Court taking some immediate steps to speed up consideration, the case will be decided under the Court’s standard briefing schedule. This means the matter will be briefed over the next several months with oral argument likely next fall, as part of the Supreme Court’s October 2023 Term. Although a decision could come out any time after oral argument, cases as significant as this case often come out towards the end of the term, i.e., by June 2024.
The Supreme Court’s unwillingness to expedite consideration of the case to date has serious practical implications for the CFPB’s ability to push forward its ambitious agenda. As the CFPB has itself acknowledged, the 5th Circuit’s decision binds lower courts in that circuit unless and until it is overturned. It will likely encourage challenges to CFPB rulemakings and potentially other actions in that circuit. Even outside of the 5th Circuit, lower courts adjudicating CFPB enforcement actions may be unwilling to move those cases forward until the Supreme Court provides direction on this fundamental funding issue. Thus, for the time being, we can expect more challenges and more delays in CFPB enforcement actions.
For financial institutions, our advice remains the same as when the 5th Circuit’s decision was issued. Generally, companies should maintain their day-to-day focus on compliance, as the CFPB may weather this latest constitutional challenge with its full authority, including its enforcement power, intact. In addition, other Federal agencies—for example, the Federal banking agencies, the National Credit Union Administration, the Federal Trade Commission—and state attorneys general and/or state regulators often have overlapping authority to enforce Federal consumer financial law. Finally, companies should continue to assume that rules issued by the Bureau are valid and that they will not be penalized for good-faith reliance on such rules.
District Court says undated collection letter is misleading
On February 9, the U.S. District Court for the Southern District of Florida partially granted a defendant debt collector’s motion to dismiss an action alleging an undated collection letter violated various provisions of the FDCPA. Plaintiff received a collection letter from the defendant providing information on the amount of outstanding debt and instructions on how to dispute the debt, as well as a timeframe for doing so. However, the letter sent to the plaintiff was undated, and the plaintiff asserted that it was impossible for him to determine what “today” meant when the letter said “‘[b]etween December 31, 2021 and today[,]’” or what “now” referred to in the context of “[t]otal amount of the debt now.” He argued that by withholding this necessary information, the letter appeared to be illegitimate and misleading, and ultimately caused him to spend time and money to mitigate the risk of future financial harm. The defendant moved to dismiss for failure to state a claim, maintaining that the letter “fully and accurately stated the amount of the debt and otherwise complied with all requirements of the [statute].” The defendant further argued that the letter “conforms exactly to” the debt collection model form letter provided by the CFPB, and insisted that, because it complied with 12 C.F.R. § 1006.34(d)(2), it fell within the safe harbor provided by Bureau regulations to debt collectors that use the model form letter. The defendant contended that, even if it did not qualify for the safe harbor provision, it is not a violation of the FDCPA for a debt collection letter to be undated. The plaintiff asked the court to ignore the Bureau’s safe harbor provision and find that the undated letter is sufficient to state a plausible FDCPA claims.
In dismissing one of plaintiff’s claims, the court agreed with the defendant that the plaintiff failed to provide any factual or plausible allegations demonstrating “harass[ment], oppress[ion], or abuse” by the defendant (a requirement for alleging a violation of 15 U.S.C. section 1692d). “An undated letter, with little else, is not ‘the type of coercion and delving into the personal lives of debtors that [section] 1692d in particular[] was designed to address,” the court wrote.
However, the court determined that the plaintiff’s other three claims survive the motion to dismiss. First, the court held that the defendant’s reliance on the model form letter “overstates both the meaning and scope of the regulatory safe harbor provided by the CFPB.” Specifically, the plaintiff did not allege that the defendant violated any CFPB regulations—he alleged violations of the FDCPA, and the court explained that nowhere does the Bureau state that using the model form letter “suffices as compliance with the corresponding statutory requirements of [FDCPA] section 1692g.” Moreover, while use of the model form might provide a safe harbor from some of the statute’s requirements, “a safe harbor for the form of provided information is different from a safe harbor for the substance of that information,” the court said, adding that using the model form letter alone does not bar plaintiff’s claims. Additionally, the court determined that under the “least-sophisticated consumer” standard, the plaintiff alleged plausible claims for relief based on the omission of the date in the letter. Among other things, the undated letter could be interpreted as not stating the full amount of the debt, nor does the letter provide a means for plaintiff to assess how the debt might increase in the future if he did not make a prompt payment. With respect to whether the defendant used “unfair or unconscionable means to collect” the debt, the court determined that the undated letter’s misleading nature as to the full amount of the debt might “be ‘unfair or unconscionable’ to the least-sophisticated consumer.”
Illinois Supreme Court says BIPA claims accrue with every transmission
On February 17, the Illinois Supreme Court issued a split decision holding that under the state’s Biometric Information Privacy Act (BIPA), claims accrue “with every scan or transmission of biometric identifiers or biometric information without prior informed consent.” The plaintiff filed a proposed class action alleging a defendant fast food chain violated BIPA sections 15(b) and (d) by unlawfully collecting her biometric data and disclosing the data to a third-party vendor without first obtaining her consent. According to the plaintiff, the defendant introduced a biometric-collection system that required employees to scan their fingerprints in order to access pay stubs and computers shortly after she began her employment in 2004. Under BIPA (which became effective in 2008), section 15(b) prohibits private entities from collecting, capturing, purchasing, receiving through trade, or otherwise obtaining “a person’s biometric data without first providing notice to and receiving consent from the person,” whereas Section 15(d) provides that private entities “may not ‘disclose, redisclose, or otherwise disseminate’ biometric data without consent.” While the plaintiff asserted that the defendant did not seek her consent until 2018, the defendant argued, among other things, that the action was untimely because the plaintiff’s claim accrued the first time defendant obtained her biometric data. In this case, defendant argued that plaintiff’s claim accrued in 2008 after BIPA’s effective date. Plaintiff challenged that “a new claim accrued each time she scanned her fingerprints” and her data was sent to a third-party authenticator, thus “rendering her action timely with respect to the unlawful scans and transmissions that occurred within the applicable limitations period.” The U.S. District Court for the Northern District of Illinois agreed with the plaintiff but certified its order for immediate interlocutory appeal after “finding that its decision involved a controlling question of law on which there is substantial ground for disagreement.”
The U.S. Court of Appeals for the Seventh Circuit ultimately found that the parties’ competing interpretations of claim accrual were reasonable under Illinois law, and agreed that “the novelty and uncertainty of the claim-accrual question” warranted certification to the Illinois Supreme Court. The question certified to the high court asked whether “section 15(b) and (d) claims accrue each time a private entity scans a person’s biometric identifier and each time a private entity transmits such a scan to a third party, respectively, or only upon the first scan and first transmission[.]”
The majority held that the plain language of the statute supports the plaintiff’s interpretation. “With the subsequent scans, the fingerprint is compared to the stored copy of the fingerprint. Defendant fails to explain how such a system could work without collecting or capturing the fingerprint every time the employee needs to access his or her computer or pay stub,” the high court said. The majority rejected the defendant’s argument that a BIPA claim is limited to the initial scan or transmission of biometric information since that is when the individual loses the right to control their biometric information “[b]ecause a person cannot keep information secret from another entity that already has it.” This interpretation, the majority wrote, wrongfully assumes that BIPA limits claims under section 15 to the first time a party’s biometric identifier or biometric information is scanned or transmitted. The Illinois Supreme Court further held that “[a]s the district court observed, this court has repeatedly held that, where statutory language is clear, it must be given effect, ‘even though the consequences may be harsh, unjust, absurd or unwise.’” However, the majority emphasized that BIPA does not contain language “suggesting legislative intent to authorize a damages award that would result in the financial destruction of a business,” adding that because “we continue to believe that policy-based concerns about potentially excessive damage awards under [BIPA] are best addressed by the legislature, . . . [w]e respectfully suggest that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under [BIPA].”
The dissenting judges countered that “[i]mposing punitive, crippling liability on businesses could not have been a goal of [BIPA], nor did the legislature intend to impose damages wildly exceeding any remotely reasonable estimate of harm.” “Indeed, the statute’s provision of liquidated damages of between $1000 and $5000 is itself evidence that the legislature did not intend to impose ruinous liability on businesses,” the dissenting judges wrote, cautioning that plaintiffs may be incentivized to delay bringing claims for as long as possible in an effort to increase actionable violations. Under BIPA, individuals have five years to assert violations of section 15—the statute of limitations recently established by a ruling issued by the Illinois Supreme Court earlier this month (covered by InfoBytes here).
District Court allows FTC suit against owners of credit repair operation to proceed
On February 13, the U.S. District Court for the Eastern District of Michigan denied a motion to dismiss filed by certain defendants in a credit repair scheme. As previously covered by InfoBytes, last May the FTC sued a credit repair operation that allegedly targeted consumers with low credit scores promising its products could remove all negative information from their credit reports and significantly increase credit scores. At the time, the court granted a temporary restraining order against the operation for allegedly engaging in deceptive practices that scammed consumers out of more than $213 million. The temporary restraining order was eventually vacated, and the defendants at issue (two individuals and two companies that allegedly marketed credit repair services to consumers, charged consumers prohibited advance fees in order to use their services without providing required disclosures, and promoted an illegal pyramid scheme) moved to dismiss themselves from the case and to preclude the FTC from obtaining permanent injunctive and monetary relief.
In denying the defendants’ motion to dismiss, the court held, among other things, that “controlling shareholders of closely-held corporations are presumed to have the authority to control corporate acts.” The court pointed to the FTC’s allegations that the individual defendants at issue were owners, officers, directors, or managers, were authorized signatories on bank accounts, and had “formulated, directed, controlled, had the authority to control, or participated in the acts and practices set forth in the complaint.” The court further held that the FTC’s allegations raised a plausible inference that the individual defendants have the authority to control the businesses and demonstrated that they possessed, “at the most basic level, ‘an awareness of a high probability of deceptiveness and intentionally avoided learning of the truth.’”
The court also disagreed with the defendants’ argument that the permanent injunction is not applicable to them because they have since resigned their controlling positions of the related businesses, finding that “[t]his development, if true, does not insulate them from a permanent injunction.” The court found that “the complaint contains plausible allegations of present and ongoing deceptive practices that would authorize the [c]ourt to award a permanent injunction ‘after proper proof.’” In addition, the court said it may award monetary relief because the FTC brought claims under both sections 13(b) and 19 of the FTC Act and “section 19(b) contemplates the ‘refund of money,’ the ‘return of property,’ or the ‘payment of damages’ to remedy consumer injuries[.]”